Issue No.03 - July-September (2011 vol.4)
pp: 243-254
Youakim Badr , INSA-Lyon, Villeurbanne, France
Frédérique Biennier , INSA Lyon, Villeurbanne, France
Samir Tata , Institut TELECOM, Evry, France
In response to increasing economic constraints, enterprise organization has evolved toward new structures such as the networked enterprise, supply chains, the virtual enterprise, and collaborative business organizations. These structures require the interoperability of business processes (BPs) and information systems. Dealing with interoperability often leads to the deployment of a Service-Oriented Architecture (SOA) based on an Enterprise Service Bus (ESB) to design agile collaborative BPs and to publish and compose new services. In order to protect each partner's own interests, security strategies must be developed and integrated into the service environment. Unfortunately, traditional security approaches deal with security concerns from a technical perspective (e.g., data transmission or authentication) and do not support end-to-end security in a distributed environment of business services and collaborative processes. In this paper, we attempt to improve end-to-end security by annotating service descriptions with security objectives, which are used to generate suitable quality of protection (QoP) agreements between partners. Conversely, agreements are processed by a dedicated matching module, with respect to security requirements and preferences, to select business services and then compose their appropriate technical security services.
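The abstract describes three steps: annotate each service description with security objectives, match those annotations against a partner's security requirements and preferences to select business services, and then compose the technical security services that realise the selected service's objectives. The following Python sketch is an added illustration of that matching step, not code from the paper or the authors; the ordinal protection scale (`LEVELS`), the `ServiceDescription` and `QoPRequirement` records, the hard-constraint/soft-preference split, and the mechanism labels in the catalogue are all assumptions made for the example.

```python
"""Illustrative QoP-annotation matcher (added example, not the paper's code).

Assumed model: a service description is annotated with security objectives
(confidentiality, integrity, authentication, non_repudiation) at an ordinal
level, plus the technical security service that realises each objective.
A partner's requirement states hard minimum levels and weighted preferences.
"""
from dataclasses import dataclass

# Constructed ordinal scale for protection levels (assumption).
LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class ServiceDescription:
    name: str
    objectives: dict   # objective -> offered level
    mechanisms: dict   # objective -> technical security service realising it


@dataclass(frozen=True)
class QoPRequirement:
    required: dict     # objective -> minimum level (hard constraint)
    preferred: dict    # objective -> weight (soft preference used for ranking)


def level(desc: ServiceDescription, objective: str) -> int:
    """Level offered for an objective; an unannotated objective counts as 'none'."""
    return LEVELS[desc.objectives.get(objective, "none")]


def satisfies(desc: ServiceDescription, req: QoPRequirement) -> bool:
    """Hard match: every required objective is offered at or above its minimum."""
    return all(level(desc, obj) >= LEVELS[minimum]
               for obj, minimum in req.required.items())


def score(desc: ServiceDescription, req: QoPRequirement) -> int:
    """Soft ranking: weighted sum of offered levels over preferred objectives."""
    return sum(weight * level(desc, obj) for obj, weight in req.preferred.items())


def select(catalogue, req: QoPRequirement):
    """Return the acceptable services, best-ranked first (name breaks ties)."""
    acceptable = [d for d in catalogue if satisfies(d, req)]
    return sorted(acceptable, key=lambda d: (-score(d, req), d.name))


def compose(desc: ServiceDescription, req: QoPRequirement) -> dict:
    """Technical security services to bind for the objectives the partner requires.

    A service that claims an objective but names no mechanism for it cannot be
    composed, so that is reported rather than silently skipped.
    """
    missing = [obj for obj in req.required if obj not in desc.mechanisms]
    if missing:
        raise ValueError(f"{desc.name} declares no mechanism for {missing}")
    return {obj: desc.mechanisms[obj] for obj in req.required}


# Constructed catalogue of three annotated business services; the mechanism
# names are illustrative labels, not references to any specific product.
CATALOGUE = [
    ServiceDescription(
        "order-svc-a",
        {"confidentiality": "high", "integrity": "high", "authentication": "medium"},
        {"confidentiality": "tls-1.2", "integrity": "xml-dsig", "authentication": "saml-sso"},
    ),
    ServiceDescription(
        "order-svc-b",
        {"confidentiality": "medium", "integrity": "high",
         "authentication": "high", "non_repudiation": "high"},
        {"confidentiality": "tls-1.2", "integrity": "xml-dsig",
         "authentication": "x509-mutual", "non_repudiation": "xml-dsig"},
    ),
    ServiceDescription(
        "order-svc-c",
        {"confidentiality": "low", "integrity": "medium"},
        {"confidentiality": "tls-1.0", "integrity": "hmac"},
    ),
]

# Constructed partner requirement: confidentiality and integrity are mandatory;
# strong authentication and non-repudiation are preferred but not required.
REQUIREMENT = QoPRequirement(
    required={"confidentiality": "medium", "integrity": "high"},
    preferred={"authentication": 2, "non_repudiation": 1},
)

if __name__ == "__main__":
    for d in select(CATALOGUE, REQUIREMENT):
        print(d.name, score(d, REQUIREMENT), compose(d, REQUIREMENT))
```

With the constructed inputs, `order-svc-c` is rejected because its confidentiality level is below the required minimum, and `order-svc-b` outranks `order-svc-a` on the preferred objectives; `compose` then returns only the mechanisms for the objectives the partner actually required, which is the set a generated QoP agreement would need to bind.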
Computer security, data processing, distributed information system.
Youakim Badr, Frédérique Biennier, Samir Tata, "The Integration of Corporate Security Strategies in Collaborative Business Processes", IEEE Transactions on Services Computing, vol.4, no. 3, pp. 243-254, July-September 2011, doi:10.1109/TSC.2010.18